Cybersecurity firm Proofpoint has identified two new variants of the IcedID loader malware that have been used in seven campaigns by three distinct threat actors since late 2022. The new versions, called “Lite” and “Forked,” have a narrower feature set and lack the usual online banking fraud functionality.
Instead, they focus on installing further malware on compromised systems, with an emphasis on ransomware.
The “Lite” variant was first seen in November 2022, while the “Forked” version was first observed in February 2023. The latter was distributed through thousands of personalized invoice-themed phishing emails, using Microsoft OneNote attachments to execute a malicious HTA file that runs a PowerShell command.
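The OneNote attachment → HTA → PowerShell delivery chain described above is visible to defenders as a parent/child process lineage in endpoint telemetry. The following is an added detection example written for this article, not code from Proofpoint or from the article itself; the process events are constructed sample data (the executable names onenote.exe, mshta.exe and powershell.exe are the standard Windows binaries for OneNote, HTA execution and PowerShell, and the PIDs are invented). It walks each process back to its root and flags a PowerShell process whose ancestry contains OneNote followed by mshta.exe.

```python
"""Flag PowerShell processes descended from OneNote via mshta.exe.

Added example: detection logic over constructed process-creation
telemetry, modelled on the OneNote -> HTA -> PowerShell chain that
the article attributes to the IcedID "Forked" campaigns.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (pid, parent pid, lowercase image name)."""
    pid: int
    ppid: int
    image: str


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe"),
    ProcessEvent(200, 100, "onenote.exe"),     # user opens a OneNote attachment
    ProcessEvent(300, 200, "mshta.exe"),       # embedded HTA is executed
    ProcessEvent(400, 300, "powershell.exe"),  # HTA runs a PowerShell command
    ProcessEvent(500, 100, "powershell.exe"),  # benign: launched from Explorer
    ProcessEvent(600, 200, "msedge.exe"),      # benign: OneNote opens a link
]

# Ordered lineage we want to see, root-first. The chain may have other
# processes interleaved, so it is matched as a subsequence, not exactly.
SUSPICIOUS_CHAIN = ("onenote.exe", "mshta.exe", "powershell.exe")


def ancestry(events: list[ProcessEvent], pid: int) -> list[str]:
    """Return the image names from the root ancestor down to `pid`.

    Stops at an unknown parent or on a cycle (reused PIDs), so a
    malformed log cannot make the walk loop forever.
    """
    by_pid = {e.pid: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event.image)
        pid = event.ppid
    chain.reverse()
    return chain


def contains_subsequence(seq: list[str], sub: tuple[str, ...]) -> bool:
    """True if every item of `sub` appears in `seq` in the same order."""
    it = iter(seq)
    return all(any(x == s for x in it) for s in sub)


def find_suspicious(events: list[ProcessEvent],
                    chain: tuple[str, ...] = SUSPICIOUS_CHAIN) -> list[int]:
    """Return PIDs of processes matching the final element of `chain`
    whose ancestry contains the whole chain in order."""
    hits = []
    for event in events:
        if event.image == chain[-1] and contains_subsequence(
                ancestry(events, event.pid), chain):
            hits.append(event.pid)
    return hits


if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Matching the lineage as an ordered subsequence rather than requiring a direct parent/child relationship keeps the rule robust to an intermediate helper process (for example a cmd.exe hop) while still ignoring PowerShell sessions that a user started from Explorer.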
The “Forked” version is similar to the “Standard” version in terms of its role, but uses a different file type and features additional domain and string-decryption code. Meanwhile, the “Lite” variant is lighter, at 20KB, and does not exfiltrate host info to the C2, making it stealthier and leaner.
IcedID is usually used for initial access by threat actors, but the development of new variants signals a shift towards specializing the bot to payload delivery.
While most threat actors are expected to continue using the “Standard” variant, Proofpoint predicts that the deployment of new IcedID versions will likely grow, with more variants possibly emerging later in 2023.